PS3 Exploit: Hardware

[source: xorloser @ xorloser.com] This post will deal with the hardware required to trigger the PS3 hypervisor memory access exploit. The purpose of the hardware is to stop the PS3 from saving a change to a value that we don’t want changed. The PS3 saves this changed value by writing the value to RAM. Therefore in order to stop it from saving the changed value we need to stop this write from occurring. The PS3 sends the write command to the RAM over some control lines, so we interfere with these control lines when the write command is sent. The result we want is having the PS3 think it has successfully written the value to RAM, but the RAM didn’t receive the write command due to our interference and so it did not perform the write operation. The easiest (and moderately safe) way to interfere with these control lines is to ground them. This is done easily enough by connecting a wire between one of the control lines and ground. The tricky part is timing it just right so that it only interferes with the write we want to stop, and not anything that occurs before or after this write. This might be achievable with costly equipment and a lot of work, however geohot used the simple method of "luck". This involves repeatedly preparing the situation to best favour the chance of overwriting the correct write command and then continually grounding a control line until either something crashes that shouldn’t or the mark is hit stopping the write operation from occurring. At this point the exploit has been successfully triggered!

Now that you know how it works it is time to implement it. A connection is required to the control line that will be grounded as well as a connection to ground. These two wires then need to be connected to each other momentarily. If you were to try and do this manually as fast as you could you might connect them for a millisecond or so, however RAM control lines are very fast so 1ms is going to interfere with way too many commands. Instead these lines need to be connected to some hardware that is able to bridge the connection between then for very small periods of time at once. Geohot suggests a connection period of 40 nanoseconds.

There are many ways that some hardware can be made to perform this short connection. Geohot used an FPGA he had on hand in order to do it. Others have suggested using a 555 timer, however I have not heard of anyone having any success with this method. I used a small sx28 microcontroller I had on hand due to using it for a project some years ago. It runs at 50MHz with an instruction cycle of 20 nanoseconds, which means it should be fast enough to provide the 40 nanosecond connection required.

The first step is to take apart your PS3 in order to expose the top side of the motherboard. Once you do so look for one of the following areas on it depending on what version PS3 you have.

This first picture is from an old 60GB PS3 which came with the 4 USB ports and the card readers. You can see I have soldered a wire to the side of a resistor. This is the connection to the PS3 RAM control line that you need to solder on. I suggest you route this wire down and then to the left of the two pronged power plug you can see. My wire continues downward in this picture, but I found that doing so caused interference in the wire that would unintentinally trigger RAM corruptions. To avoid this you should route it to the left underneath the power plug so that it then comes out of the left side of the PS3 case. You can use a long wire during installation, but try to keep it short when you finalise its routing and final positioning. You can see I used a hot glue gun to ensure any stress placed on the wire will not pull at the solder joint.

This second picture is from an 80GB PS3 with 2 USB ports and no card readers. This was the model that was out just before the "fat" PS3s were replaced by the "slim" PS3s, so it is a newer motherboard revision where there are two RAM chips on both sides of the motherboard instead of all four on one side. In this picture I have circled the trace you should solder to for your RAM control line connection. In order to solder to this I used a craft knife to carefully scratch the paint off the top of the trace to expose the copper underneath which I then soldered a wire to. Once connected you should route this wire straight down towards the front of the case to best avoid interference in the wire from other parts of the PS3. Once again try to keep the final wire nice and short.

Next you need to get a ground connection. This is done the same way for both motherboard versions and is very easy. You can just wrap a wire around any of the metal screws that screw into the metal shielding that covers the top of the motherboard. You don’t even need to solder it, just wrap it under the screw head and screw it into place This wire should be routed out of the console next to to your other control line wire.

The above two wire connections are common to any implementation of a hardware trigger. The following is specific to how I did my hardware trigger but you may implement your trigger however you want. Note that I initially tried wiring 5 Volts of power out next to these lines but doing so continually resulted in unwanted interference in the control line causing the PS3 to crash while booting.

For my hardware trigger I used an SX28 microcontroller which I bought years ago as part of this programming kit. To use the SX28 you need the SX28 chip, a way of programming the chip (usually an SX-Key or SX-Blitz) and an oscillator to drive the SX28 chip at 50MHz. All of these are included in the above programming kit. Maybe if enough people buy from them and mention xorloser they’ll send me a USB version of the SX-Key instead of my old serial based one :/

Below is a crappy schematic of my circuit which I drew in windows paint. Please note that I am using the programming kit I mentioned above which utilises the SX-Key programmer in place of an oscillator while the SC-Key is attached. I do not have an external oscillator so I’ll leave the hooking up of that to you. Just take note that you do need either an oscillator or SX-Key attached in order to make the chip run.

This SX28 sourcecode is the last piece of the puzzle. Program this to your SX28 chip using the free SX-Key Editor software from the Parallax. Once this is all hooked up to your PS3 you should be able to send a "pulse" (grounding of the control line) to the PS3 by pressing the switch. You should use a temporary-on push button switch to do so since it will keep sending pulses every 100ms if the switch stays connected. The LED on the right side of the schematic is just there to give the operator some feedback. It will light up when a pulse is sent to let you know that the circuit is working as it should. I should mention that if you look at my SX28 sourcecode you will see that it appears as if I am sending a 360 nanosecond long pulse. I do not know how long the pulse is that actually gets sent as I do not have any hardware that I can measure the pulse with (yet). Possibly there are hardware induced delays that occur when changing the direction of the port which means that although I am waiting 360 ns, it still only sends a pulse that is about 4o ns. To arrive at the 360 ns value I tried many values making the pulse as short as I could until it didn’t trigger anymore, then I increased it just a little bit to get the shortest pulse that still works.

Phew, this is finally the end of this post. My next post will tie it all together along with some software I have written to dump your own hypervisor and more. Cya.

----

PS3 Exploit Setup

This is the PS3 with the newer motherboard where the socket I installed in the front actually looks nice, the other one was a bit of a hack job